Changes Detected in CHM Malware Distribution
2023-08-09 • AhnLab
ASEC describes weekly changes in CHM malware impersonating Korean financial and insurance institutions. Execution begins when hh.exe opens the CHM and decompiles its internal HTML, which in turn generates a JSE script that is launched by wscript. One variant kept its registry-based persistence but changed its download and execution behavior depending on whether AhnLab products were installed, while another directly dropped and executed a .NET payload. The newer payload's structure resembled earlier samples but shifted from information theft toward reverse-connection backdoor behavior. The report ties the activity to file hashes, detection names, and infrastructure such as atusay.lat/kxydo and zienk.sbs/kjntf.
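The execution chain above (hh.exe rendering the CHM, then a script host running a generated .jse) is something a defender can look for in process-creation telemetry, and the infrastructure in the IoC table can be matched against DNS telemetry. The following is an added example written for this summary; it is not code from ASEC or AhnLab. The Sysmon-style process and DNS events, process IDs and file paths in it are constructed for illustration.

```python
from dataclasses import dataclass
from ntpath import basename  # handles Windows paths regardless of host OS

# Domains from the report's IoC table; subdomains of these are matched as well
IOC_DOMAINS = {"atusay.lat", "zienk.sbs"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHM_VIEWER = "hh.exe"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (hypothetical PIDs and paths, not from the report)
SAMPLE_EVENTS = [
    ProcEvent(1000, 400, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens a lure CHM: hh.exe is the CHM viewer
    ProcEvent(1200, 1000, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\u\Downloads\insurance_notice.chm'),
    # the CHM's HTML generates a .jse and hands it to wscript: the chain to detect
    ProcEvent(1300, 1200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\Users\u\AppData\Local\Temp\upd.jse'),
    # benign logon script started by explorer, not under hh.exe: must not alert
    ProcEvent(1400, 1000, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Scripts\logon.vbs"),
    # hh.exe viewing a normal help file with no script child: must not alert
    ProcEvent(1500, 1000, r"C:\Windows\hh.exe", r"hh.exe C:\Help\manual.chm"),
]

# Constructed DNS query events as (pid, queried name)
SAMPLE_DNS = [
    (1300, "atusay.lat"),
    (1400, "update.example.com"),
    (1600, "cdn.zienk.sbs"),
]


def ancestor_images(pid, by_pid, max_depth=32):
    """Return lower-cased image basenames of the parent chain above pid."""
    names = []
    ev = by_pid.get(pid)
    for _ in range(max_depth):  # depth limit guards against cyclic/reused PIDs
        if ev is None:
            break
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.pid == ev.pid:
            break
        names.append(basename(parent.image).lower())
        ev = parent
    return names


def detect_chm_chain(events):
    """Flag script hosts whose ancestry includes hh.exe; note .jse arguments."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image).lower() not in SCRIPT_HOSTS:
            continue
        if CHM_VIEWER not in ancestor_images(e.pid, by_pid):
            continue
        reason = "script host spawned under hh.exe"
        if ".jse" in e.cmdline.lower():
            reason += " running a .jse file"
        alerts.append((e.pid, reason))
    return alerts


def domain_matches_ioc(domain):
    """True for an IoC domain or any subdomain of one (suffix match on labels)."""
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)


def detect_ioc_dns(dns_events):
    """Return (pid, name) for queries that resolve names in the IoC set."""
    return [(pid, name) for pid, name in dns_events if domain_matches_ioc(name)]


if __name__ == "__main__":
    for pid, reason in detect_chm_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
    for pid, name in detect_ioc_dns(SAMPLE_DNS):
        print(f"ALERT pid={pid}: DNS query for listed infrastructure {name}")
```

The process rule keys on lineage rather than on the .jse extension alone, so a CHM that switches to a .vbs or .js dropper still trips it, while the extension check only adds context to the alert. The DNS check matches subdomains because the report lists bare domains; pair it with the URL paths in the table (kxydo, kjntf) at the proxy if that telemetry is available.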
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://atusay.lat/kxydo | 2023-07-20 | 2023-08-30 |
| DOMAIN | atusay.lat | 2023-07-20 | 2023-08-30 |
| HASH | 790c5f50942a502252a00b9878db9496 | 2023-08-02 | 2023-08-09 |
| HASH | 8d39335e67e797ad66c3953c3d6203ce | 2023-08-02 | 2023-08-09 |
| HASH | 7c949f375c56e7de7a3c4f0a9a19c4e5 | 2023-08-02 | 2023-08-09 |
| HASH | 258472c79fc3b9360ad560e26350b756 | 2023-08-02 | 2023-08-09 |
| HASH | 056932151e3cc526ebf4ef5cf86ae0b4 | 2023-08-02 | 2023-08-09 |
| URL | https://zienk.sbs/kjntf | 2023-08-02 | 2023-08-09 |
| DOMAIN | zienk.sbs | 2023-08-02 | 2023-08-09 |